Abusing Atlassian, Archbee and Nuclino workspaces

    Aug. 2, 2024

    Key Points

    What you'll learn in this article

    • A phishing link embedded in an email sent from addresses associated with Japanese ISPs.
    • Credential theft through phishing campaigns using unified workspace platforms like Atlassian, Archbee, and Nuclino.

    Mimecast Threat Research has identified a new phishing tactic where threat actors exploit compliance-related issues. These attackers deceive users into believing they must click on a link to address a compliance requirement, directing them to a fake company portal to harvest credentials or other sensitive information.

    There is a good deal of personalization in the emails, such as details of a ‘device’ and several references to the targeted company’s domain, intended to make the message look legitimate. The sender display name always refers to the target organisation’s domain name, with the aim of fooling end users into thinking the email comes from an internal department.

    [Image: TI_notif-workspaces_abuse-pic1.webp]

    Various URLs are used in this campaign; one interesting technique is the use of Postmark click-tracking URLs to redirect the user to these unified workspace solutions.

    • hxxps://click.pstmrk.it/3s/click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252Fapp.archbee.com%2525252Fpublic%2525252FPREVIEW-zC6lbWbDnmk5z3buJBCII%25252Fu4jK%25252FLz21AQ%25252FAQ%25252F82ec5a25-c50f-4c68-a1ad-64d3d3de6c19%25252F1%25252Fv1mx6BTihp%252Fu4jK%252FMz21AQ%252FAQ%252F81fdc556-5c20-4662-ae2e-00bb0fe3a7ee%252F1%252F1bKy8k_jhk%2Fu4jK%2FND21AQ%2FAQ%2Fb39933dc-3c34-4961-92a6-db7f088575be%2F1%2F6ayZ139fVi/u4jK/u0y1AQ/AQ/e869e477-658b-49e4-b61d-957766ad7b9f/1/lzhdvOcfmW/u4jK/vUy1AQ/AQ/9638350e-ed00-4ae7-8f62-b58ed9d0b391/1/i0yMJ-e4SI

    Multiple obfuscation techniques are used to hide the true destination of a URL:

    • Multiple redirection
      • hxxps://click.pstmrk.it/3s/click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s...
    • Encoded characters
      • %2F, %252F, %25252F
    • Tracking parameters
      • u4jK, AQ, followed by strings like 82ec5a25-c50f-4c68-a1ad-64d3d3de6c19
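The three techniques above can be peeled apart mechanically for triage or detection. The following is an added example, not Mimecast's tooling: it decodes a nested Postmark click-tracking chain level by level, lists every host in the redirect chain, and flags the multi-hop, multi-level-encoding pattern. The sample URL is a constructed, shortened copy of the chain shown above (defanged with hxxps), and the "one hop, one encoding level is ordinary" heuristic is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample: a condensed copy of the nested Postmark click-tracking
# chain seen in the campaign (defanged "hxxps", same structure, fewer hops).
SAMPLE_URL = (
    "hxxps://click.pstmrk.it/3s/click.pstmrk.it/3s/click.pstmrk.it%2F3s%2F"
    "click.pstmrk.it%252F3s%252Fapp.archbee.com%25252Fpublic%25252FPREVIEW-"
    "zC6lbWbDnmk5z3buJBCII%252Fu4jK%252FLz21AQ%252FAQ%252F"
    "82ec5a25-c50f-4c68-a1ad-64d3d3de6c19%252F1%252Fv1mx6BTihp%2Fu4jK%2F"
    "Mz21AQ%2FAQ%2F81fdc556-5c20-4662-ae2e-00bb0fe3a7ee%2F1%2F1bKy8k_jhk"
    "/u4jK/ND21AQ/AQ/b39933dc-3c34-4961-92a6-db7f088575be/1/6ayZ139fVi"
)

HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)  # bare hostname segment
TRACKER_SUFFIX = "pstmrk.it"  # Postmark click-tracking domain named in the article

def refang(url):
    """Restore the defanged hxxp(s):// scheme so the URL can be parsed."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)

def decode_fully(url, max_rounds=10):
    """Percent-decode until nothing changes. Returns (decoded_url, rounds);
    rounds is the deepest encoding level seen (%2F=1, %252F=2, %25252F=3)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(url)
        if decoded == url:
            break
        url, rounds = decoded, rounds + 1
    return url, rounds

def hop_chain(url):
    """Every hostname in the fully decoded chain, outermost first."""
    decoded, _ = decode_fully(refang(url))
    return [seg.lower() for seg in decoded.split("/") if HOST_RE.fullmatch(seg)]

def analyse(url):
    """Triage summary. Heuristic (assumption): one tracking hop with one
    encoding level is ordinary mail tracking; nested hops are the red flag."""
    chain = hop_chain(url)
    _, depth = decode_fully(refang(url))
    hops = sum(h.endswith(TRACKER_SUFFIX) for h in chain)
    return {
        "encoding_depth": depth,
        "tracker_hops": hops,
        "final_host": chain[-1] if chain else None,
        "suspicious": depth > 1 or hops > 1,
    }
```

Calling analyse(SAMPLE_URL) reports four tracker hops, an encoding depth of three and app.archbee.com as the final host, which is the destination a mail gateway should be evaluating rather than click.pstmrk.it.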

    Following the link, we see the page below on archbee.com, which contains another link that must be clicked to access a document. The page indicates the user will need to ‘sign in’ again to gain access.

    [Image: TI_notif-workspaces_abuse-pic2.webp]

    We see similar pages hosted on Confluence, a service used by many organisations and commonplace for employee collaboration across a business.

    [Image: TI_notif-workspaces_abuse-pic3.webp]

    All links on these pages again use various obfuscation techniques to evade detection, and once clicked, users are presented with a Microsoft login page; two examples are shown below.

    [Image: TI_notif-workspaces_abuse-pic4.webp]

    Mimecast continues to see threat actors making use of services such as OneDrive and Google Docs to host files or links in their campaigns, but workspaces such as Atlassian have not previously been heavily abused. However, there has been a noticeable increase in the use of Atlassian to evade detection, which will continue to be monitored.

    Targets

    Australia, prominent law firms

    Sender header email addresses

    • @re[.]commufa[.]jp
    • @biglobe[.]ne[.]jp

    URLs

    • hxxps://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fbatesbooks.com%25252F%25253Fgnwihigb%252Fu4jK%252F_TK1AQ%252FAQ%252Feb4ca8cd-9fd8-441d-bd47-ba8515ce4ecb%252F1%252F29ti9u-YHt%2Fu4jK%2F-jK1AQ%2FAQ%2F5144fccb-e0c2-47a4-bc78-4996415f3747%2F1%2Fp92u3QTaSb/u4jK/ATO1AQ/AQ/2fd5814e-142f-44ef-9cf1-186f556a5be6/1/s3sdWJSj3H
    • hxxps://click.pstmrk.it/3s/click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252Fapp.archbee.com%2525252Fpublic%2525252FPREVIEW-zC6lbWbDnmk5z3buJBCII%25252Fu4jK%25252FLz21AQ%25252FAQ%25252F82ec5a25-c50f-4c68-a1ad-64d3d3de6c19%25252F1%25252Fv1mx6BTihp%252Fu4jK%252FMz21AQ%252FAQ%252F81fdc556-5c20-4662-ae2e-00bb0fe3a7ee%252F1%252F1bKy8k_jhk%2Fu4jK%2FND21AQ%2FAQ%2Fb39933dc-3c34-4961-92a6-db7f088575be%2F1%2F6ayZ139fVi/u4jK/u0y1AQ/AQ/e869e477-658b-49e4-b61d-957766ad7b9f/1/lzhdvOcfmW/u4jK/vUy1AQ/AQ/9638350e-ed00-4ae7-8f62-b58ed9d0b391/1/i0yMJ-e4SI